The Health Insurance Portability and Accountability Act (HIPAA) is only weeks away. On April 14 the first major deadline for HIPAA Administrative Simplification compliance -- the HIPAA Privacy Rule -- arrives. The health care industry comprises more than 15% of the United States' Gross National Product, making HIPAA a huge deal in our country. Almost all people working in the health care industry, as well as most of the industry's business associates, are affected by the legislation. Can compliance be achieved overnight? No. Will an organization maintain HIPAA compliance without the help of every staff member? A resounding no! This leads us to the most fundamental element of HIPAA compliance -- people. How do you get to the point where you are ready to be HIPAA compliant? You've got to instill the proper mindset in your personnel.
At the risk of sounding cliche, HIPAA compliance is not about technology, and it's not about government regulations getting in the way of health care. It's about lowering health care administrative costs. It's about health care organizations standardizing specific transactions and code sets. And, perhaps most importantly, it's about protecting the privacy of everyone's health care information -- something that we all can benefit from. Sure, technology is involved in this, but it's the people, the average health care staffer, who will make or break an organization's ability to achieve compliance and embrace these new laws.
Instilling the proper mindset begins with creating a HIPAA-aware culture -- a new way of thinking and doing business within your organization. You and your management team must lead by example. New information is essential to success in achieving this task. You must expose yourself to the latest knowledge -- attend HIPAA seminars, workshops, conferences, search the Internet, read books -- and educate yourself in all aspects of HIPAA. You can then take this knowledge and start applying it to your everyday work habits. When you do this, people will notice.
One way you can help start a new way of thinking about HIPAA is to demonstrate its business value. Your employees don't need to hear "we're doing this because the government is making us." Tell them why the government is making you. Tell them about the money that can be saved by streamlining operations. Tell them about the risks involved in not securing health information. Show them anecdotal evidence. You have two choices: Persuade your employees that there is value in the HIPAA legislation and there are reasons why your organization must comply or have your employees persuade you. Don't wait for option two. You should already be on top of your organization's HIPAA compliance efforts without your employees having to tell you so. Effective guidance is key, and top-down influence is the best way to go.
Your key to persuasion is motivation. Look at HIPAA from a leadership role with a long-term perspective. Give examples of how HIPAA will pay off long term. Show your subordinates that you buy into HIPAA (you don't really have a choice, do you?), talk about it within your organization in a positive way, and embrace it as a standard business practice moving forward. This will really increase your chances of employee buy-in.
Also, figure out what other things motivate your employees. Two major factors come into play here: The desire to gain something and move ahead, and the fear of losing something and falling behind. Most employees will be motivated to help the organization, and thus their careers, if the reasons to do so are communicated effectively. It will take some work up front to figure out your approach, but capitalize on this -- it will pay off.
So…you've got HIPAA-block? You're not alone. Many organizations simply won't be able to get rolling on HIPAA compliance without some outside assistance. If you determine that your organization's unique strengths and talents are insufficient to get started, that's OK. As a manager, it's your job to look for opportunities to free up your time and your employees' time so everyone can focus on their priorities and what they do best.
Having said that, you still can't completely rely on outside sources long term. Make sure that HIPAA becomes a core competency of your organization. You may outsource a lot of your HIPAA planning, implementation and ongoing auditing, but only you and the individuals in your organization can ensure that HIPAA compliance is maintained. This comes back to an understanding of what HIPAA is really about and making it a standard business operation.
I believe the 80/20 rule applies to your efforts to become and remain HIPAA compliant. 80% of your HIPAA results will come from 20% of your HIPAA-focused actions. Instilling the proper mindset should not only be in this top 20%, but in the top 5%. You don't have to make yourself, or anyone in your organization for that matter, a HIPAA expert overnight. Your past level of expertise in privacy, security and HIPAA matters shouldn't concern you. All that really matters is how you tackle this beast moving forward.
Remember, it's human nature to fear change. The new ways of doing business as mandated by HIPAA are a lot to swallow. It's your job to approach them wisely and communicate to your employees and colleagues why there's not only an opportunity to gain something but also an opportunity to avoid loss by embracing HIPAA. Keep your eye on the horizon and create a guiding vision that rubs off on your employees. If you and your organization can effect this type of change, you'll be well on your way to effectively managing the whirlwind of business transformation that HIPAA has only begun to create.

About the author
Kevin Beaver is president of the Atlanta-based information security consulting firm Principle Logic, LLC. He is currently co-authoring the upcoming book "The Practical Guide to HIPAA Privacy and Security Compliance" and is also a contributing author and editor of the book "Healthcare Information Systems, second edition" both by Auerbach Publications. As an expert on SearchSecurity.com, Kevin is available to answer your HIPAA questions.
This was first published in June 2006